[ 
https://issues.apache.org/jira/browse/NIFI-5366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605845#comment-16605845
 ] 

ASF GitHub Bot commented on NIFI-5366:
--------------------------------------

Github user thenatog commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2989#discussion_r215647422
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
 ---
    @@ -502,6 +503,11 @@ private WebAppContext loadWar(final File warFile, 
final String contextPath, fina
             // add a filter to set the X-Frame-Options filter
             webappContext.addFilter(new FilterHolder(FRAME_OPTIONS_FILTER), 
"/*", EnumSet.allOf(DispatcherType.class));
     
    +        // add a filter to set the Content Security Policy frame-ancestors 
directive
    +        FilterHolder cspFilter = new FilterHolder(new 
ContentSecurityPolicyFilter());
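Review bot: the existing X-Frame-Options filter registration is kept in this hunk while the new Content-Security-Policy holder is added directly beneath it, even though the issue description says that header is superseded and should be replaced; either remove the old `addFilter` call or add a comment stating that X-Frame-Options is deliberately retained as a fallback for browsers without frame-ancestors support. The new holder is built from an instance, `FilterHolder cspFilter = new FilterHolder(new ContentSecurityPolicyFilter());`, so, as the comment below notes, no explicit filter name is given; `cspFilter.setName("ContentSecurityPolicyFilter")` (or the class-based `FilterHolder` constructor) would make it identifiable when debugging the filter chain. The `webappContext.addFilter(cspFilter, ...)` call that actually registers the holder is outside the shown lines; it should use the same `"/*"` path and `EnumSet.allOf(DispatcherType.class)` as the X-Frame-Options filter above it so the policy also covers forwarded and error dispatches.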
    --- End diff --
    
    I think I thought there was no way to set the Filter name without passing 
the FilterHolder but it looks like if you pass the classname as a string it 
will set the filter name. Setting the filter name is helpful for debugging. 
Looks like most filters being added use the FilterHolder method definition, not 
exactly sure why however.


> Implement Content Security Policy frame-ancestors directive
> -----------------------------------------------------------
>
>                 Key: NIFI-5366
>                 URL: https://issues.apache.org/jira/browse/NIFI-5366
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Assignee: Nathan Gough
>            Priority: Major
>              Labels: frame, header, http, security
>             Fix For: 1.8.0
>
>
> The {{X-Frame-Options}} headers [1] currently in place to prevent malicious 
> framing / clickjacking [2] are superseded by and should be replaced by the 
> Content Security Policy frame-ancestors [3] directive. 
> [1] https://tools.ietf.org/html/rfc7034
> [2] https://en.wikipedia.org/wiki/Clickjacking
> [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
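The following is an added example, not code from the NiFi pull request or the NiFi code base, that ties together the two points above: the issue's replacement of X-Frame-Options with the CSP frame-ancestors directive, and the review comment's point about naming the FilterHolder. The class `FrameAncestorsFilter` and its `register` method are hypothetical names; the Jetty API calls (`FilterHolder`, `setName`, `WebAppContext.addFilter`) are the real ones from the `org.eclipse.jetty.servlet` and `org.eclipse.jetty.webapp` packages.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.webapp.WebAppContext;

/**
 * Hypothetical filter (not NiFi's ContentSecurityPolicyFilter) that emits a
 * Content-Security-Policy frame-ancestors directive on every response so the
 * UI cannot be framed by other origins (anti-clickjacking).
 */
public class FrameAncestorsFilter implements Filter {

    private final String cspValue;
    private final String legacyFrameOptions;

    /**
     * @param frameAncestorsSource a CSP source expression such as 'self' or 'none'
     */
    public FrameAncestorsFilter(String frameAncestorsSource) {
        this.cspValue = "frame-ancestors " + frameAncestorsSource;
        // X-Frame-Options cannot express an arbitrary origin list, so only the two
        // exact equivalents are mirrored; older browsers without CSP Level 2 support
        // honour this header and ignore frame-ancestors.
        this.legacyFrameOptions = "'none'".equals(frameAncestorsSource) ? "DENY" : "SAMEORIGIN";
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // setHeader rather than addHeader: a single, unambiguous policy header,
            // even if another filter in the chain already wrote one.
            http.setHeader("Content-Security-Policy", cspValue);
            http.setHeader("X-Frame-Options", legacyFrameOptions);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Registers the filter on a Jetty WebAppContext with an explicit holder name,
     * covering every dispatch type so forwarded and error responses carry the
     * header as well.
     */
    public static FilterHolder register(WebAppContext webappContext) {
        FilterHolder cspFilter = new FilterHolder(new FrameAncestorsFilter("'self'"));
        // Give the holder a stable, human-readable name instead of relying on whatever
        // default Jetty derives from the held class; it shows up in filter-chain dumps.
        cspFilter.setName("ContentSecurityPolicyFilter");
        webappContext.addFilter(cspFilter, "/*", EnumSet.allOf(DispatcherType.class));
        return cspFilter;
    }
}
```

A quick check after deployment is to request any UI page and confirm the response carries `Content-Security-Policy: frame-ancestors 'self'`; a page that still needs to be embedded by a trusted portal would list that portal's origin in the directive instead of `'self'`, which is exactly the case X-Frame-Options could not express.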



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
